Is Online Express PCI compliant?
Online Express itself is PCI compliant, but the webpage in which the Online Express form is embedded may not be. Because of this, we strongly encourage Online Express customers to take appropriate security measures on every webpage where an Online Express form will be embedded.

How can I confirm my webpage is PCI compliant?
For further information regarding how your organization can ensure your website is PCI compliant, please refer to the PCI Security Standards Council.


Why is there a "Security Warning" on my donation form dashboard in the Online Express plugin?
This means that your organization has one or more Online Express forms embedded on a webpage where SSL is not enabled.


Am I required to enable SSL?  If so, which vendor should I use?
While enabling SSL is not “required”, this is suggested as a means of adding an additional layer of security so that visitors to your website are assured that the webpage they are accessing is secure. 

How will embedding my forms in a non-SSL enabled webpage impact my donors?
If your Online Express form is embedded on a webpage where SSL is not enabled, visitors who navigate to the webpage where your Online Express form is embedded will see an "Insecure" warning in their web browser.  While donors will be able to successfully and securely make donations to your forms, the "Insecure" warning might deter potential donors from submitting a donation to the form. 

Which vendor should I use when purchasing my SSL certificate?  How do I enable SSL on my webpage(s)?
If your organization has questions regarding which vendor to use when purchasing your SSL certificate or how to enable SSL, this is beyond Blackbaud’s scope of support, so we recommend contacting a qualified IIS professional.

Are there any other security measures I should take with my Online Express forms?
For further information regarding what to consider before embedding your Online Express form into your website, please see our Blackbaud Online Express Tips for protecting your donor page, which discusses the following topics:
  • Enable Secure Sockets Layer (SSL)
  • Comply with the Payment Card Industry Data Security Standard (PCI DSS)
  • Limit page content
  • Do not render editable data
How do Online Express forms function with my website and Blackbaud's servers?  Is it secure?
  • The webpage where the Online Express JavaScript is embedded is considered the OLX donation/event registration/membership/sign-up page
  • The JavaScript is the Online Express form
The donation/event registration/membership registration/sign-up page lives on the Media Temple web server where your organization's website is hosted, but the Online Express form doesn’t technically live there. All that lives on the Media Temple web server/page related to Online Express is a small script. When the donor/registrant/member navigates to the donation/event registration/membership registration/sign-up page, all of the page contents, including the Online Express script, are sent from the Media Temple server to the donor’s browser.
 
Then the Online Express script runs in the donor’s browser, and its job is to establish the secure connection between the donor’s browser and the secure Blackbaud server where the Online Express form details live. When that connection is made, the Blackbaud server responds by sending the HTML and JavaScript required for the OLX form to render and function back to the donor’s browser, and the Online Express form then shows up on-screen.
 
The connection between the donor’s browser and the Blackbaud server is encrypted via SSL, even if the page where your organization embeds the Online Express script isn’t protected by a valid SSL certificate. So the important data connection is secured anyway, but donors have no way of knowing that, and if they see a gigantic “insecure” warning in their browser, this might deter potential donors from submitting a donation to the form. This is one of the main reasons why we highly encourage all Online Express customers to have an SSL certificate enabled on any page where they embed an Online Express form. This is also why we say “While Online Express IS PCI compliant, the webpage where you’re embedding your Online Express form may not be compliant.”
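The checks described on this page (serve the hosting page over SSL/TLS, reference every script over HTTPS, limit page content to what the donation page needs, and do not render editable data outside the embedded form) can be turned into a simple audit that an organization runs against its own donation pages before publishing them. The script below is an added example, not Blackbaud's or Online Express's own code: it describes each page as a plain object (URL, script references, editable fields) so it runs in Node without a browser, and the form-vendor host name `forms.example-vendor.invalid` and the sample pages are constructed placeholders, not real Blackbaud hosts or customer sites.

```javascript
// Added example, not Online Express code: audit pages that embed a hosted
// donation form against the checks the FAQ above recommends.
// FORM_SCRIPT_HOST is a hypothetical placeholder for the vendor host that
// serves the embed script; substitute the real host for your own audit.
const FORM_SCRIPT_HOST = 'forms.example-vendor.invalid';

function auditEmbedPage(page, formScriptHost = FORM_SCRIPT_HOST) {
  const findings = [];
  const pageUrl = new URL(page.url);

  // Check 1: the hosting page itself must be served over HTTPS. The form's own
  // connection to the vendor is encrypted regardless, but browsers flag a
  // plain-HTTP page as "Insecure", which is exactly what deters donors.
  if (pageUrl.protocol !== 'https:') {
    findings.push({
      severity: 'high',
      check: 'page-not-https',
      detail: `${page.url} is served over ${pageUrl.protocol.slice(0, -1)}`,
    });
  }

  for (const src of page.scriptSrcs) {
    // Relative ("/js/site.js") and protocol-relative ("//host/x.js") references
    // inherit the page's scheme, so resolve them before deciding how they load.
    const scriptUrl = new URL(src, pageUrl.href);

    // Check 2: every script must be fetched over HTTPS. A protocol-relative
    // reference on an HTTP page silently downgrades the embed script itself.
    if (scriptUrl.protocol !== 'https:') {
      findings.push({
        severity: 'high',
        check: 'script-not-https',
        detail: `${scriptUrl.href} is loaded without TLS`,
      });
    }

    // Check 3: limit page content. Any script that is neither first-party nor
    // the form vendor's is extra code running alongside the payment form.
    const firstParty = scriptUrl.hostname === pageUrl.hostname;
    const vendorScript = scriptUrl.hostname === formScriptHost;
    if (!firstParty && !vendorScript) {
      findings.push({
        severity: 'medium',
        check: 'third-party-script',
        detail: `${scriptUrl.hostname} serves a script on the donation page`,
      });
    }
  }

  // Check 4: do not render editable data on the hosting page. The embedded form
  // should be the only place on the page where a donor types anything.
  if (Array.isArray(page.editableFields) && page.editableFields.length > 0) {
    findings.push({
      severity: 'medium',
      check: 'editable-data',
      detail: `hosting page renders editable field(s): ${page.editableFields.join(', ')}`,
    });
  }

  return findings;
}

// Collapse the findings into the kind of status a form dashboard would show.
function pageStatus(findings) {
  if (findings.some((f) => f.severity === 'high')) return 'security-warning';
  if (findings.length > 0) return 'review';
  return 'ok';
}

// Constructed sample pages (not real sites): one configured as recommended,
// one with every problem the FAQ warns about.
const SAMPLE_PAGES = [
  {
    url: 'https://www.example-charity.invalid/donate',
    scriptSrcs: [`https://${FORM_SCRIPT_HOST}/embed.js`, '/js/site.js'],
    editableFields: [],
  },
  {
    url: 'http://www.example-charity.invalid/donate-old',
    scriptSrcs: [`//${FORM_SCRIPT_HOST}/embed.js`, 'https://cdn.example-analytics.invalid/track.js'],
    editableFields: ['comments'],
  },
];

function auditAll(pages = SAMPLE_PAGES) {
  return pages.map((p) => {
    const findings = auditEmbedPage(p);
    return { url: p.url, status: pageStatus(findings), findings };
  });
}

for (const result of auditAll()) {
  console.log(`${result.status.padEnd(16)} ${result.url}`);
  for (const f of result.findings) console.log(`  [${f.severity}] ${f.check}: ${f.detail}`);
}
```

The second sample page shows why check 2 matters on its own: a protocol-relative script reference is harmless on an HTTPS page but, on the same page served over HTTP, resolves to an HTTP fetch of the embed script, so enabling SSL on the page and using explicit `https://` script references go together.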